X-Frame-Options Header
Resolved
I've received a finding that Yellowfin isn't using X-Frame-Options: DENY in the HTTP Headers.
I've received a finding that Yellowfin isn't using X-Frame-Options: DENY in the HTTP Headers.
The same problem 
Note: Please use the OWASP Secure Headers Filter instead.This can be resolved at the Tomcat level by implementing HTTP Header Security.
For Tomcat 8 (and possibly earlier)
Simply add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> tag:
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <async-supported>true</async-supported> </filter> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>$optionHere</param-value> </init-param> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>Where $optionHere will signify one of: DENY, SAMEORIGIN, ALLOW-FROM. As documented in the Tomcat Configuration docs.
For Tomcat 9 (and possibly later)
It needs to be included in the web.xml file found in the /appserver/conf directory.In addition to this change, the init-param values need to be contained within the filter block itself (see the example below):
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>SAMEORIGIN</param-value> </init-param> <async-supported>true</async-supported> </filter>In addition to this, you would need to include the httpHeaderSecurity filter in the same file (example of the filter below):<filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>Giving you a full block like this:As always, if still facing issues, please let us know and we will provide further guidance.
Regards,
Yellowfin Support Team
Note: Please use the OWASP Secure Headers Filter instead.This can be resolved at the Tomcat level by implementing HTTP Header Security.
For Tomcat 8 (and possibly earlier)
Simply add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> tag:
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <async-supported>true</async-supported> </filter> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>$optionHere</param-value> </init-param> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>Where $optionHere will signify one of: DENY, SAMEORIGIN, ALLOW-FROM. As documented in the Tomcat Configuration docs.
For Tomcat 9 (and possibly later)
It needs to be included in the web.xml file found in the /appserver/conf directory.In addition to this change, the init-param values need to be contained within the filter block itself (see the example below):
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>SAMEORIGIN</param-value> </init-param> <async-supported>true</async-supported> </filter>In addition to this, you would need to include the httpHeaderSecurity filter in the same file (example of the filter below):<filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>Giving you a full block like this:As always, if still facing issues, please let us know and we will provide further guidance.
Regards,
Yellowfin Support Team
You cannot display a lot of websites inside an iFrame. Reason being that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iFrames that are not hosted on the same domain as the parent page.
I faced the same error when displaying YouTube links. For example: https://www.youtube.com/watch?v=8WkuChVeL0s
I replaced watch?v= with embed/ so the valid link will be: https://www.youtube.com/embed/8WkuChVeL0s
It works well.
Try to apply the same rule on your case.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin.
You cannot display a lot of websites inside an iFrame. Reason being that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iFrames that are not hosted on the same domain as the parent page.
I faced the same error when displaying YouTube links. For example: https://www.youtube.com/watch?v=8WkuChVeL0s
I replaced watch?v= with embed/ so the valid link will be: https://www.youtube.com/embed/8WkuChVeL0s
It works well.
Try to apply the same rule on your case.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin.
Hi Kevin,
I hope all is well,
Thank you for the additional input for this, we appreciate feedback from all users.
Regards,
Mark
Hi Kevin,
I hope all is well,
Thank you for the additional input for this, we appreciate feedback from all users.
Regards,
Mark
Replies have been locked on this page!